How to debug Spring Security authorization annotations?

13,116

Solution 1

Set the log level of org.springframework.security to debug. On invoking the method with annotations, you can find log messages that indicate the interceptor being applied; especially look for: DEBUG MethodSecurityInterceptor

Updated: That means there is some config difference between your sample app and main app. Some pointers to look for:

Solution 2

You can add to your application.yaml:

logging.level.org.springframework.security: DEBUG

Or add to application.properties:

logging.level.org.springframework.security=DEBUG

Or add the annotation @EnableWebSecurity with debug = true to your WebSecurityConfig:

@Configuration
@EnableWebSecurity(debug = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
  // ...
}

Solution 3

In case you just want to know which method failed, simply set the logging level for this exception filter:

logging.level.org.springframework.security.web.access.ExceptionTranslationFilter: TRACE

It will only show the stack trace with the failed method and not spam your logs more than necessary ;-)
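A complement to the log check in Solution 1, as an added example that is not part of the original answers: instead of waiting for a DEBUG MethodSecurityInterceptor line, ask each application context directly which @Service and @Controller beans are wrapped by that interceptor. The class name MethodSecurityAudit is hypothetical, and the code assumes proxy-based method security in a Spring Security version where the advice is MethodSecurityInterceptor, as in the logs discussed on this page.

```java
import java.lang.annotation.Annotation;
import java.util.Map;

import org.springframework.aop.Advisor;
import org.springframework.aop.framework.Advised;
import org.springframework.aop.support.AopUtils;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.intercept.aopalliance.MethodSecurityInterceptor;
import org.springframework.stereotype.Controller;
import org.springframework.stereotype.Service;

/** Added diagnostic (hypothetical name): reports which beans of ONE context carry method security. */
public final class MethodSecurityAudit {

    /** True if the bean is an AOP proxy whose advisor chain contains MethodSecurityInterceptor. */
    static boolean isMethodSecured(Object bean) {
        if (!AopUtils.isAopProxy(bean) || !(bean instanceof Advised)) {
            return false; // plain object: its security annotations are never evaluated
        }
        for (Advisor advisor : ((Advised) bean).getAdvisors()) {
            if (advisor.getAdvice() instanceof MethodSecurityInterceptor) {
                return true;
            }
        }
        return false;
    }

    /** Prints one line per bean carrying the given stereotype in this context only (parents are not searched). */
    static void report(ApplicationContext ctx, Class<? extends Annotation> stereotype) {
        for (Map.Entry<String, Object> e : ctx.getBeansWithAnnotation(stereotype).entrySet()) {
            System.out.printf("[%s] %s (%s) methodSecurity=%b%n",
                    ctx.getDisplayName(),
                    e.getKey(),
                    AopUtils.getTargetClass(e.getValue()).getName(),
                    isMethodSecured(e.getValue()));
        }
    }

    /** Run once per context, e.g. the root context and the DispatcherServlet context. */
    public static void audit(ApplicationContext ctx) {
        report(ctx, Service.class);
        report(ctx, Controller.class);
    }
}
```

A bean that carries @PreAuthorize or @Secured but reports methodSecurity=false has no interceptor in that context, which is the situation where the annotation type in use is not the one enabled in global-method-security.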

Author by

Alexander

Updated on June 05, 2022

Comments

  • Alexander almost 2 years

    I have a Spring Security application in which I want to enable annotation security (pre and post authorization). I also have a small sample application in which I have implemented it already. Everything works. But moving the configs to the main application failed. There are no errors in the console. But the annotations do not work. It seems they are not read at all. All configuration and component versions are completely the same.

    There are

    <security:global-method-security secured-annotations="enabled" /> 
    

    records in security-context and servlet-context. But neither @Controller methods nor @Service methods are secured with annotations in the main application.

    How can I debug it?

    Solved!

    After switching from <global-method-security secured-annotations="enabled" /> to pre/post annotations, it works fine.

  • Alexander over 9 years
    In the sample application I see MethodSecurityInterceptor and ExpressionBasedPostInvocationAdvice, but in the main application there is neither of them (only intercept.FilterSecurityInterceptor).
  • Alexander over 9 years
    The question was, how can I debug the reasons annotations are not used.
  • Alexander over 9 years
    You are right! pre-post-annotations instead of secured works.
  • Artem Ptushkin over 2 years
    This is a good one actually, in well-maintained apps we don't want to see more than we need, I wonder why people just enable debug on the whole security package... but there are only trace logs, so it should be: TRACE